mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-01-29 21:08:42 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
e753480a0540df86cba94b04824aa9d9e7fe3932
poky/meta/recipes-support
History
Yogita Urade 4543508143 curl: fix CVE-2025-9086 
1, A cookie is set using the secure keyword for https://target
2, curl is redirected to or otherwise made to speak with http://target
(same hostname, but using clear text HTTP) using the same cookie set
3, The same cookie name is set - but with just a slash as path (path="/").
Since this site is not secure, the cookie should just be ignored.
4, A bug in the path comparison logic makes curl read outside a heap buffer boundary

The bug either causes a crash or it potentially makes the comparison come to
the wrong conclusion and lets the clear-text site override the contents of
the secure cookie, contrary to expectations and depending on the memory contents
immediately following the single-byte allocation that holds the path.

The presumed and correct behavior would be to plainly ignore the second set of
the cookie since it was already set as secure on a secure host so overriding
it on an insecure host should not be okay.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-9086

Upstream patch:
https://github.com/curl/curl/commit/c6ae07c6a541e0e96d0040afb6

(From OE-Core rev: b0cc7001a628deaa96d1aebb5ded52797898a0be)

Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
2025-09-30 08:01:59 -07:00
..
appstream
appstream: upgrade 1.0.2 -> 1.0.3
2024-06-20 06:29:43 -07:00
apr
apr: upgrade 1.7.4 -> 1.7.5
2024-09-09 06:08:10 -07:00
argp-standalone
argp-standalone: replace with a maintained fork
2022-11-01 17:34:59 +00:00
aspell
aspell: upgrade 0.60.8 -> 0.60.8.1
2024-01-01 23:11:42 +00:00
atk
at-spi2-core: upgrade 2.50.0 -> 2.50.1
2024-02-03 22:08:25 +00:00
attr
acl: upgrade 2.3.1 -> 2.3.2
2024-03-07 17:25:02 +00:00
bash-completion
bash-completion: upgrade 2.11 -> 2.12.0
2024-03-01 09:28:51 +00:00
bmaptool
bmaptool: update to latest
2024-03-23 10:18:20 +00:00
boost
boost: fix do_fetch error
2025-01-25 06:20:37 -08:00
ca-certificates
meta/meta-selftest/meta-skeleton: Update LICENSE variable to use SPDX license identifiers
2022-02-20 16:45:25 +00:00
consolekit
consolekit: Disable incompatible-pointer-types warning as error
2024-06-20 06:29:43 -07:00
curl
curl: fix CVE-2025-9086
2025-09-30 08:01:59 -07:00
db
db: ignore implicit-int and implicit-function-declaration issues fatal with gcc-14
2024-06-20 06:29:44 -07:00
debianutils
debianutils: upgrade 5.15 -> 5.16
2024-01-21 12:27:12 +00:00
diffoscope
diffoscope: upgrade 253 -> 259
2024-03-07 17:25:02 +00:00
dos2unix
dos2unix: upgrade 7.5.1 -> 7.5.2
2024-02-03 22:08:26 +00:00
enchant
enchant2: fix do_fetch error
2024-11-18 06:59:35 -08:00
fribidi
fribidi: upgrade 1.0.13 -> 1.0.14
2024-07-17 05:36:13 -07:00
gdbm
gdbm: Use C11 standard
2025-09-01 08:30:56 -07:00
gmp
gmp: Fix build with older gcc versions
2025-09-01 08:30:56 -07:00
gnome-desktop-testing
recipes: Default to https git protocol where possible
2023-05-05 11:07:25 +01:00
gnupg
gnupg: update 2.4.5 -> 2.4.8
2025-07-07 07:42:58 -07:00
gnutls
gnutls: patch CVE-2025-6395
2025-08-04 07:55:06 -07:00
gpgme
gpgme: move gpgme-tool to own sub-package
2024-08-06 19:11:18 -07:00
icu
icu: fix CVE-2025-5222
2025-07-11 08:11:53 -07:00
iso-codes
iso-codes: upgrade 4.15.0 -> 4.16.0
2024-02-03 22:08:25 +00:00
itstool
itstool: add missing COPYING.GPL3
2022-04-14 09:47:00 +01:00
libassuan
libassuan: upgrade 2.5.5 -> 2.5.6
2023-06-28 07:56:33 +01:00
libatomic-ops
libatomic-ops: Update GITHUB_BASE_URI
2025-05-27 09:38:57 -07:00
libbsd
libbsd: upgrade 0.11.8 -> 0.12.1
2024-03-07 17:25:02 +00:00
libcap
libcap: fix CVE-2025-1390
2025-02-28 06:45:14 -08:00
libcap-ng
libcap-ng: update SRC_URI
2024-09-03 05:39:12 -07:00
libcheck
libcheck: add ghetto automake output
2023-05-25 10:29:08 +01:00
libdaemon
recipes: remove unused AUTHOR variable
2023-08-10 09:18:53 +01:00
libevdev
libevdev: upgrade 1.13.0 -> 1.13.1
2023-05-22 10:53:49 +01:00
libevent
libevent: fix patch Upstream-Status
2023-09-20 23:51:11 +01:00
libexif
libexif: remove unused version_underscore
2024-02-29 10:26:13 +00:00
libffi
libffi: upgrade 3.4.5 -> 3.4.6
2024-03-01 09:28:51 +00:00
libfm
lrzsz connman-gnome libfm: ignore various issues fatal with gcc-14
2024-06-20 06:29:43 -07:00
libgcrypt
libgcrypt: Fix building error with '-O2' in sysroot path
2024-12-06 05:50:25 -08:00
libgit2
libgit2: update 1.7.1 -> 1.7.2
2024-02-18 22:02:40 +00:00
libgpg-error
libgpg-error: fix build with gcc-15
2025-09-01 08:30:56 -07:00
libical
libical: upgrade 3.0.16 -> 3.0.17
2023-11-05 11:28:39 +00:00
libjitterentropy
abi_version/sstate: Handle pkgconfig output changes and bump output versions
2023-03-26 18:50:17 +01:00
libksba
libksba: upgrade 1.6.5 -> 1.6.6
2024-03-01 09:28:51 +00:00
libmd
libmd: upgrade 1.0.4 -> 1.1.0
2023-06-28 07:56:33 +01:00
libmicrohttpd
libmicrohttpd: upgrade 0.9.77 -> 1.0.1
2024-03-01 09:28:51 +00:00
libmpc
libmpc: upgrade 1.2.1 -> 1.3.1
2022-12-22 23:05:50 +00:00
libnl
libnl: change HOMEPAGE
2024-07-26 07:43:46 -07:00
libpcre
libpcre2: Update base uri PhilipHazel -> PCRE2Project
2024-10-18 06:04:40 -07:00
libproxy
libproxy: upgrade 0.5.3 -> 0.5.4
2024-02-17 18:19:19 +00:00
libpsl
libpsl: upgrade 0.21.2 -> 0.21.5
2024-01-24 15:46:19 +00:00
libseccomp
libseccomp: Fix build when python packageconfig is enabled
2024-04-12 17:27:53 +01:00
libsoup
libsoup: fix CVE-2025-4945
2025-07-11 08:11:53 -07:00
libssh2
libssh2: backport fix for CVE-2023-48795
2024-01-24 15:46:19 +00:00
libunistring
libunistring: upgrade 1.1 -> 1.2
2024-03-01 09:28:51 +00:00
libunwind
libunwind: ignore various issues now fatal with gcc-14
2024-06-20 06:29:43 -07:00
liburcu
liburcu: upgrade 0.13.2 -> 0.14.0
2023-02-19 07:47:53 +00:00
libusb
libusb1: Set CVE_PRODUCT
2024-06-05 05:57:12 -07:00
libxslt
libxslt: apply patch for CVE-2025-7424
2025-09-30 08:01:59 -07:00
libyaml
libyaml: Ignore CVE-2024-35325
2024-09-03 05:39:12 -07:00
lz4
cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
2023-07-21 11:52:26 +01:00
lzo
lzo: Add further info to a patch and mark as Inactive-Upstream
2022-05-27 23:50:48 +01:00
lzop
Revert "lzop: remove recipe from oe-core"
2024-02-09 16:18:05 +00:00
mpfr
mpfr: upgrade 4.2.0 -> 4.2.1
2023-09-02 18:23:05 +01:00
nettle
nettle: avoid neon on unsupported machines
2023-09-04 20:14:14 +01:00
nghttp2
nghttp2: Upgrade 1.60.1 -> 1.61.0
2024-04-08 23:33:32 +01:00
npth
meta/meta-selftest/meta-skeleton: Update LICENSE variable to use SPDX license identifiers
2022-02-20 16:45:25 +00:00
nss-myhostname
meta/meta-selftest/meta-skeleton: Update LICENSE variable to use SPDX license identifiers
2022-02-20 16:45:25 +00:00
numactl
numactl: Upgrade 2.0.17 -> 2.0.18
2024-02-21 22:20:10 +00:00
p11-kit
p11-kit: ignore various issues fatal with gcc-14 (for 32bit MACHINEs)
2024-06-20 06:29:43 -07:00
pinentry
pinentry: update 1.2.0 -> 1.2.1
2022-10-29 16:28:35 +01:00
popt
popt: update 1.18 -> 1.19
2022-11-22 12:26:46 +00:00
ptest-runner
ptest-runner: Update 2.4.4 -> 2.4.5
2024-10-18 06:04:40 -07:00
re2c
re2c: upgrade 3.0 -> 3.1
2023-08-14 12:51:21 +01:00
rng-tools
rng-tools: ignore incompatible-pointer-types errors for now
2024-07-09 06:02:55 -07:00
serf
serf: mark patch as inappropriate for upstream submission
2024-06-19 08:34:58 -07:00
shared-mime-info
shared-mime-info: drop itstool-native from DEPENDS
2024-11-26 06:11:30 -08:00
sqlite
sqlite3: fix CVE-2025-6965
2025-07-29 07:59:52 -07:00
taglib
taglib: upgrade 2.0 -> 2.0.1
2024-06-19 08:34:57 -07:00
user-creation
Convert to new override syntax
2021-08-02 15:44:10 +01:00
utfcpp
taglib: upgrade 1.13.1 -> 2.0 and add utfcpp recipe to support that
2024-03-07 17:25:03 +00:00
vim
vim: upgrade 9.1.1198 -> 9.1.1652
2025-09-01 08:30:56 -07:00
vte
vte: fix CVE-2024-37535
2024-07-23 06:05:47 -07:00
xxhash
xxhash: upgrade 0.8.1 -> 0.8.2
2023-08-14 12:51:21 +01:00